We explain what e-commerce fraud is, the types of e-commerce fraud, how it happens, and top strategies for protecting your organization and your customers.
What is E-Commerce Fraud Protection?
E-commerce fraud is any type of fraud perpetrated on a retail site or platform, including credit card fraud, identity theft, account takeover, and chargeback fraud. E-commerce fraud protection detects attempted fraudulent activity with strategies such as real-time monitoring, machine learning, and card security requirements.
What Is E-Commerce Fraud?
E-commerce fraud is a type of fraud that targets online merchants with the goal of stealing information, making fraudulent transactions, or obtaining goods for free.
As more businesses shift to online retail fraudsters are following the money. Card-not-present (CNP) fraud and account takeovers continue to cause millions in losses each year. Thanks to the growing number of stolen credit card and login details available through dark web marketplaces, these forms of e-commerce fraud are extremely attractive to cybercriminals.
But popular new forms of instant credit payments such as Buy Now Pay Later (BNPL) have also attracted the attention of cybercriminals seeking to make illegal transactions.
In 2021 alone e-commerce losses due to payment fraud topped $20 billion, a 14% increase from the previous year. It’s clear that consumers will continue to rely on e-commerce, and online retailers will have to take a proactive approach to e-commerce fraud protection.
Types of E-Commerce Fraud
E-commerce fraud goes well beyond stolen credit card details. Below we’ll explain some of the most common forms of e-commerce fraud and provide ways you can defend against them.
Card Not Present (CNP) Fraud
Card-not-present fraud occurs when a person makes an unauthorized purchase using stolen credit card information without physical access to the card. CNP fraud can occur anywhere a merchant cannot inspect the physical card.
In addition to dark web marketplaces, fraudsters also acquire credit card information through phishing scams that trick users into entering their payment information into a cloned version of a legitimate e-commerce website. Once the victim enters their payment details, the information is sent to the attackers who then sell them or use them to make fraudulent purchases.
Fraud prevention methods like CVV and Address Verification Service (AVS) can stop some of this fraud, but not all of it. CVV codes are often included in stolen data dumps and retrieved from phishing campaigns, while AVS can be bypassed by a few minutes of online research.
What You Can Do:
- Implement anti-fraud tools that leverage the EMV® 3-D Secure payment protocol
- Keep e-commerce tools, domains, and websites up to date
- Take down phishing sites that impersonate your brand to steal customer payment details
- Limit or block exposure to risky geographic locations
Chargeback Fraud
Chargeback fraud occurs when a purchaser buys a product with the sole intention of initiating a refund and keeping the product. Rather than contacting the online retailer, the customer goes directly to their payment processor to initiate a refund.
When chargeback fraud is done by accident, it’s often referred to as “friendly” fraud. Sometimes customers forget they placed an order, fail to recognize a charge on their statement, or think that a chargeback is another way to initiate a return. Either way, it still hurts revenue, impacts inventory—and is often avoidable.
When chargeback fraud is purposeful, the perpetrator will state they never received the package or claim they never authorized that purchase. When a chargeback occurs the customer is refunded their money and the business is hit with a chargeback fee.
Chargeback fees can quickly cut into a business’s profits. In 2021, Merchants refunded $25.3 billion in fraudulent returns. According to a recent survey, 44% of merchants report experiencing return abuse of some kind over the past 12 months, and 66% say it has been getting worse.
What You Can Do:
- Make return policies easy to find and understand
- Use clear transaction descriptions for credit card statements
- Send auto-renewal reminders and order confirmations when payments have been made
- Apply strong credit card verification methods to identify repeat offenders
- Identify fraudulent behavior through machine learning
Account Takeover (ATO)
Account takeover fraud occurs when a legitimate customer account is hijacked by fraudsters who use that account to steal information, make purchases, and more. This can be particularly challenging to detect since the login occurs under a trusted account.
Cybercriminals can target large organizations in ATO attacks in order to authorize bank transfers or steal company secrets. In e-commerce ATOs, attackers steal customer accounts and abuse their saved payment methods, drain rewards points, or max out their BNPL credit.
ATO attacks now lead to more than $16 billion in annual loss just in the U.S., up 300% from 2019. In addition to impacting revenue, compromised accounts quickly erode the trust between the customer and the brand.
Machine learning-based risk decisioning is one of the best ways to prevent an account takeover. By monitoring metrics such as geolocation, session data, and device ID, e-commerce platforms can quickly identify suspicious login attempts and prevent fraud entirely.
What You Can Do:
- Initiate risk-based authentication to protect accounts automatically
- Support multi-factor authentication (MFA)
- Watch for logins under new devices and locations that don’t match with the customer’s
- Shut down phishing sites and rogue mobile apps before they steal customer logins
Interception Fraud
Interception fraud occurs when a fraudster uses stolen credit card information to make a purchase and intercepts the package in transit. Fraudsters do this in an attempt to bypass address and location verification during checkout.
In most cases, the criminal will call customer service once the transaction has been approved and change the address to their own. The fraudster may even attempt to steal the package as soon as it’s delivered if the victim is local.
What You Can Do:
- Require additional authentication when making changes to orders or account information
- Train customer service to recognize attempted interception fraud
- Provide shipping and billing notifications to customers via email or text
- Deploy solutions that leverage the EMV® 3-D Secure payment protocol
Buy Now Pay Later Fraud
BNPL fraud is expected to rise throughout 2022 as more retailers offer instant financing options. Attackers exploit BNPL systems by creating fake accounts using synthetic identities, account takeover schemes, and phishing scams.
With an account in place, fraudsters put their products on layaway financing with no intention of paying their balance. They receive the goods and simply create a new account to repeat the process.
What You Can Do:
- leverage BNPL protection to automatically block synthetic identities and apply continuous authentication to safeguard BNPL services
- Review transactions to identify patterns of BNPL fraud in progress (high order values, repeat orders using the same credentials, etc.)
- Look for transactions that don’t match established user behavior
Account Enrollment Fraud
Why take over an account when you can use stolen card information to set up an account or rewards program with an online merchant from scratch using synthetic identity data? Today, Synthetic identity theft is one of the fastest-growing financial crimes in the United States, leading to an estimated $20 billion in losses annually.
In these attacks, fraudsters open an account or activate a mobile app using pilfered card information. Since the new user appears legitimate, there is no discrepancy between shipping addresses or contact information—helping them bypass most traditional fraud detection systems.
What You Can Do:
- Require multiple forms of identity proof and running it through external databases
- Deploy solutions that leverage machine learning and identity science to correlate and verify physical and digital identities
Signs of E-Commerce Fraud
E-commerce fraud isn’t always obvious. There are many patterns and behaviors that can indicate fraud but are difficult to manually detect. This is why machine learning and artificial intelligence are such powerful tools in combating fraud.
Below are a few signs that could indicate e-commerce fraud:
- A new device login for an existing account
- An unusual login location that’s atypical for the user
- Mismatched shipping/billing address
- Large purchases of the same product in a single transaction
- Numerous separate orders placed in quick succession
- Multiple orders to the same address with different cards
- The consumer is using a brand new email address
E-Commerce Fraud Protection Strategies
With the signs of e-commerce fraud covered, let’s explore some e-commerce fraud protection strategies that can protect your businesses as well as your customers.
Conduct Site Security Audits
Cybercriminals can exploit vulnerable websites to steal customer payment information. Conduct regular security checks to ensure your site isn’t compromised or vulnerable to attack. A few things to check include the following:
- Updating or removing outdated plugins
- Removing old user accounts
- Enforcing two-factor authentication for your admin login
- Ensuring SSL and HTTPS is working properly
- Scanning for malware and indicators of compromise
- Backing up configurations and website settings
Maintain PCI Compliance
PCI compliance helps protect customer data by enforcing protections that keep your customers and your business secure. Conduct self-assessments and monitor your compliance to avoid potential fraud and steep fines from noncompliance.
The PCI Security Standards Council has numerous resources you can use to implement better e-commerce fraud protection.
Leverage Data Science and Machine Learning
Card issuers, banks, payment processors and merchants should all deploy tools that enhance features built into the EMV® 3-D Secure (3DS) payment standard to prevent transaction fraud.
Case in point: Outseer 3-D Secure builds upon the 3DS standard by combining it with advanced identity science and shared global intelligence to prevent CNP fraud and protect more than $200 billion in CNP transactions per year.
These same advancements in data science and machine learning also power Outseer Fraud Manager, which analyzes behavior and cross-references it with offline and online digital identities and transaction data to detect fraudulent transactions, logins, and new account enrollments—and prevent e-commerce fraud across any channel.
Avoid Shipping to Nonphysical Addresses
Fraudsters often attempt to use P.O. boxes when committing fraud to avoid compromising their own address. While this isn’t always the case, restricting transactions to P.O. boxes can cut down on the amount of fraudulent transactions processed.
Stopping Fraud, Not Transactions
The flip side of e-commerce fraud prevention is customer experience. At a time when shopping cart abandonment continues to impact 75% of all purchases, adding even the slightest customer friction to prevent fraud is a dicey proposition.
Unlike traditional anti-fraud solutions, Outseer products leverage intelligence from 20 billion annual transactions across 6,000 institutions contributing to our global data network and our identity science expertise to prevent 95% of all fraudulent transactions. This reserves step-up challenges for the scant 5% of transactions that ever require additional scrutiny.
By seeing what others can’t, we stop fraud long before an account is created or a fraudulent transaction occurs. To learn how you can protect your customers through the power of frictionless fraud prevention, request a free demo today.
